Consider changing the default value of proxy_ssl_verify_depth

[Hill-98]

Feature Overview

The latest Let's Encrypt certificates utilize two intermediate certificates, which causes the default proxy_ssl_verify_depth 1 to throw an unable to get local issuer certificate error. Is it possible to change this default value?

Alternatives Considered

No response

Additional Context

https://letsencrypt.org/2025/11/24/gen-y-hierarchy.html

[github-actions]

👋 Thanks for opening this issue and contributing to the NGINX project!
A maintainer will review it and follow up when possible. We appreciate your support.

[ac000]

Right, yeah. I actually hit this myself a while back.

These seem to be the places that would need updating

src/stream/ngx_stream_proxy_module.c:2472:          prev->ssl_verify_depth, 1);
src/http/modules/ngx_http_uwsgi_module.c:1936:      prev->ssl_verify_depth, 1);
src/http/modules/ngx_http_grpc_module.c:4522:       prev->ssl_verify_depth, 1);
src/http/modules/ngx_http_proxy_module.c:3918:      prev->ssl_verify_depth, 1);

This is the error you get

2026/06/01 20:36:23 [error] 184385#0: *1 upstream SSL certificate verify error: (20:unable to get local issuer certificate) while SSL handshaking to upstream, client: ::1, server: localhost, request: "GET / HTTP/1.1", upstream: "https://[2001:db8::1]:443/", host: "localhost:8080

When you have proxy_ssl_verify on;

This patch seems to do the trick

diff --git ./src/http/modules/ngx_http_grpc_module.c ./src/http/modules/ngx_http_grpc_module.c
index 4a47b74c5..5f0b510c2 100644
--- ./src/http/modules/ngx_http_grpc_module.c
+++ ./src/http/modules/ngx_http_grpc_module.c
@@ -4519,7 +4519,7 @@ ngx_http_grpc_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
     ngx_conf_merge_value(conf->upstream.ssl_verify,
                               prev->upstream.ssl_verify, 0);
     ngx_conf_merge_uint_value(conf->ssl_verify_depth,
-                              prev->ssl_verify_depth, 1);
+                              prev->ssl_verify_depth, 2);
     ngx_conf_merge_str_value(conf->ssl_trusted_certificate,
                               prev->ssl_trusted_certificate, "");
     ngx_conf_merge_str_value(conf->ssl_crl, prev->ssl_crl, "");
diff --git ./src/http/modules/ngx_http_proxy_module.c ./src/http/modules/ngx_http_proxy_module.c
index 7e08df702..6452b39c7 100644
--- ./src/http/modules/ngx_http_proxy_module.c
+++ ./src/http/modules/ngx_http_proxy_module.c
@@ -3915,7 +3915,7 @@ ngx_http_proxy_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
     ngx_conf_merge_value(conf->upstream.ssl_verify,
                               prev->upstream.ssl_verify, 0);
     ngx_conf_merge_uint_value(conf->ssl_verify_depth,
-                              prev->ssl_verify_depth, 1);
+                              prev->ssl_verify_depth, 2);
     ngx_conf_merge_str_value(conf->ssl_trusted_certificate,
                               prev->ssl_trusted_certificate, "");
     ngx_conf_merge_str_value(conf->ssl_crl, prev->ssl_crl, "");
diff --git ./src/http/modules/ngx_http_uwsgi_module.c ./src/http/modules/ngx_http_uwsgi_module.c
index cb03ca77c..9ace6b04b 100644
--- ./src/http/modules/ngx_http_uwsgi_module.c
+++ ./src/http/modules/ngx_http_uwsgi_module.c
@@ -1933,7 +1933,7 @@ ngx_http_uwsgi_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
     ngx_conf_merge_value(conf->upstream.ssl_verify,
                               prev->upstream.ssl_verify, 0);
     ngx_conf_merge_uint_value(conf->ssl_verify_depth,
-                              prev->ssl_verify_depth, 1);
+                              prev->ssl_verify_depth, 2);
     ngx_conf_merge_str_value(conf->ssl_trusted_certificate,
                               prev->ssl_trusted_certificate, "");
     ngx_conf_merge_str_value(conf->ssl_crl, prev->ssl_crl, "");
diff --git ./src/stream/ngx_stream_proxy_module.c ./src/stream/ngx_stream_proxy_module.c
index 22826ef79..887ae3a0f 100644
--- ./src/stream/ngx_stream_proxy_module.c
+++ ./src/stream/ngx_stream_proxy_module.c
@@ -2469,7 +2469,7 @@ ngx_stream_proxy_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
     ngx_conf_merge_value(conf->ssl_verify, prev->ssl_verify, 0);
 
     ngx_conf_merge_uint_value(conf->ssl_verify_depth,
-                              prev->ssl_verify_depth, 1);
+                              prev->ssl_verify_depth, 2);
 
     ngx_conf_merge_str_value(conf->ssl_trusted_certificate,
                               prev->ssl_trusted_certificate, "");